Mostly Functional C# 


cſori 


Background, Aka Why? 


+ My (recent) history: 
— “No more free lunch” in 2004, on the CLR Team. 
— Software transactional memory in 2005. 
— Began Parallel LINQ (PLINQ) also in 2005. 
— Evolved into Parallel Extensions to .NET Framework (4.0) in 
2007, served as lead / architect. 
— Shipping in Visual Studio 2010. 
And in the meantime, realized we need more 
fundamental changes to enable safe parallelism. 
— Began with “purely functional”. 
— And evolved to “mostly functional” over past 1% years. 


Or, in the words of Simon Peyton Jones 


“[A] big programming-language theme over the next 
ten years will be mechanisms to restrict or control 
unrestricted side effects.. One way or another[,] we 
need to get a handle on those effects.” 


--- Caging the Effects Monster: the next big challenge, 
Simon Peyton Jones, QCon 2008 
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What is Midori? 


Systems incubation under Eric Rudder 


75 people, almost entirely developers and 
architects 


New operating system (spawn of Singularity) 
New application programming model 

Large compiler effort 

Legacy free (mostly) 


Key Midori Assumptions 


Cloud is integral 
— User-data in the cloud (partially) 
— Services in the cloud 
Clients are not simple 
— Multi-core and many-core 
— Rich functionality with local data 
— Multiple clients per person 
Clients are mobile 
— Occasionally-connected networks 
— High and variable latencies (e.g., network & memory) 
— Power management is essential 
Security, safety, and reliability are crucial 


Key Midori Goals and Principles 


Refresh the software stack for modern issues 

— Existing OSes and app models are ^30 years old 
Reliability 

— Memory, type, concurrency safety guaranteed 

— “Correct by construction” 

— Responsiveness: “asynchonous everywhere” 
Security 

— Capability-based: no ACLs 

— “Secure by construction” 
Support using hundreds of cores well 
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Design Approach 


+ A prototype extension of the Cit language. 
* Make functional programming in Cit the default: 
— Cit = {imperative + dynamic + functional } 
— Methods do not mutate existing state. 
— Immutable types are first class. 
* Allow imperative programming where familiar, 
convenient, and/or more efficient: 
— Thisis still C#! Iteration, objects, etc. 
— Statecan be mutated, but only where declared. 
* Why? 
— Deterministic, safe parallelism. 
— Robustness, reliability, and contracts. 


Inspiration 


Haskell. M 

— They can do implicit parallelism. 

— The safety problem is solved: 
+ We can only ever hope to do as good as them, but no better, 
+ Parallelism is constrained by data 
* Places emphasis on feedback directed optimizations. 

* Launchbury, Jones, Wadler: 

— “Lazy functional state threads.” 

— "Imperative functional programming.” 


swap :: MutVar s a -> MutVar s a -> ST s () 
swap v w = readVar v — 'thenST \a -> 
readVar w — 'thenST \b -> 
writeVar v b "thenST 
writevar w a 


A Landscape of Concurrency 


fe 


(05ts, dor es, XSUT, etc) 


Explicit, Unsafe 
(parallel 
infrastructure] 


Cut to the Chase 
* Mode #1: Auto-parallelize, when safe: 
= var q = from x in xs. AutoParallel() — 
where (x 8 1) = 
select x * . est; 
— int c = 0.03f; 
var q = from & in n Autoparalje 
where (x 8 1) == 
select x * (c += o: 6570 
Mode #2: Compiler error, when unsafe: 
= var q = from x in xs AsParallel() 
where (x 4 1) == 
Select x © Cesc, 
— int c = 0.03f; 
var q = fron x in xs. AsParallel() 
where (x & 1) 


EAE EE M E 


Feature List (Big-to-Small) 


Object isolation model 

Immutable types 

Non-nullability 

Lineartypes 

“where T: S(... )" specialization / matching 
Async “future” lifting 

Tuples 


A Word of Caution NU 


* Everything in MfC# is an experiment. 
No commitment to add it to Cit, in any way. 
— In the process of adopting it in Midori. 
— See how it goes, and let DevDiv know. 
e mo ooo release is coming soon... 
— In the next couple weeks. 
— Complete with a “Programming Guide” overview. 
— And prototype of “safe data parallel” APIs. 
—Join ‘tse’ alias for updates / announcements. 
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Key Idea: Object Isolation 


No mutable statics. 
Permission tagged references: 
= writable Foo wFoo: all state in the graph can be read/written. 
- readable Foo rFoo: all state in the graph can be read. 
.o iFoo:only readonly fields in the graph can be read. 
Implicit coercion: writable > readable > immutable. 
Default if unstated: 
— Usually readable (functional by default). 
Sometimes immutable (for references of immutable types). 
Appears in any position (see next slide). 


Where Can Permissions Appear? 


Fields: 
= class C ( public writable T 
Local variables: 

= public isolated void M() ( writable T obj = 
Formal parameters: 

— public isolated void M(writable T obj) ( - } 
Return parameters: 

= public isolated writable T MO ( -) 

The hidden ‘this’ parameter for instance methods: 
= public isolated void M() writable ( ~ } 


5) 


(The same locations for isolated delegates.) 


Actual parameters for generics: 
- Listewritable T» list = new Listowitable D); 


Permission combining 


* Obtaining a field value combines permissions: 
— Accessing a field yields the least permissive of the 
field and the source reference. 
— E.g., writable U via a readable T => readable U. 
+ Ensures “deepness”. So: 
— immutable Foo f: no mutable state accessible via f. 
* Generics similarly combine between generic and 
instantiation. 
— E.g., writable T will yield least permissive between 
writable and concrete instantiation. 


An Object Graph 


EX 


2 


«Red lens preserves all colors. 
«Green lens filters out red. 
«Blue lens makes everything blue. 


Writable Object Graph 


ce 0 


0 wObj = new Foo(); 
*Redlens preserves all colors. 
«Green lens filters out red. 

“Blue lens makes everything blue. 


Readable Object Graph 


Foo rObj = w0bj; 
“Red lens preserves all colors. 
«Green lens filters out red. 
“Blue lens makes everything blue. 


Immutable Object Graph 


os * e? 2- 


sse 40bj = rObj; 


“Red lens preserves all colors. 
«Green lens filters out red. 
«Blue lens makes everything blue. 


But Wait! There's More! 


Co- and contravariant permissions on override. 
Í public abstract class A ( abstract immutable Y MC) writable; ) 
= public class B: A ( override /*readabler/ Y MC) En 


. Local variable permission inference. 
. = d.Gettnimerstor(); 
— (0); 


. Anonymous method inference. 


public delegate void OT e); 
Public isolated delegate void 1500(T e); 


vola MD d); 


Isolated void £0 0 


20 => FO); // OR! Binds to mto); 
AO => gO): // OKI Binds to M(Is00); 


Example: String Concatenation 


* No new annotations: 


public string Concat(string[] ss) { 
var sb = new StringBuilder(); 
foreach (string s in ss) 
sb. Append(s) ; 
return s.ToString(); 


H 
* Relies on defaults; expanded code is: 


public immutable string Concat(readable string[immutable] ss) { 
writable StringBuilder sb = new StringBuilder(); 
foreach (immutable string s in ss) 
sb.Append(s); 
return s.ToString(); 


Example: [Collection 


interface ICollection<T> { 
bool Contains(); 
int Indexof(T item); 
void CopyTo(writable T[] array, int arrayIndex); 
int Count { get; } 
bool IsReadOnly ( get; } 


void Add(T item) writable; 
void Clear() writable; 
bool Remove(T item) writable; 


Isolation in Midori 


Message passing 
LY 


* Everything above the line uses 
TSE by default. 
— No freethreading, memory models. 
— Small # of abstractions that don't. 
— E.g., Lazy«T», data parallel, etc. 
— Below the line is opt-in. 
* Single threaded processes. 
— Communicate via message passing. 
— Internal data parallelism. 
gut only the safe kind. 


D. 
* 


Isolated Object Graphs 


delegate T PureFunc<T>() immutable; 


"The Bubble" 


ee x? 


*Statically provenisolated, 
«No runtime overhead. 
«No in- or out-references. 


Safe Parallelism 


* Concurrency ground rules: 
— Notwo threads ever see the same object as writable at once. 
— No thread sees an object as readable while another sees it as writable. 
— Anobject can always be seen as immutable. 

* Two categories: 


"T iin opion 
Structured Unstructured 
* Structured is split into two subcategories: 


— in-place updates: e.g., arrays, isolated object graphs. 
— Functional: e.g., LING-like data comprehensions. 


A Few Examples 


* Parallel Fibonacci: 
public static int Fib(int n) ( 
46 (n <= 1) retum 1; 
var result = Parallel.Invoke(() => Fib(n - 2), () => Fib(n - 1); 
return deset. Keel + result.Ttes2; 
Uu 


* LINQ-like comprehensions: 


public static int[] InverseOdós(int[] input) ( 
return input.AsParallel(). 
Filter(x => (x & 1) se 1). 


Map(x => -x] 
Anyrace conditions 
Execute(); ugs 


4 are flagged as 


compile-time errors. 


A Few Examples 


* Parallel Fibonacci: 
public static int Fib(int n) ( 
4 (n <=) return 1; 
var result = Parallel .Invoke(() => Fib( 
return resilt.Iteel + result. Tend; 
* 


* LINQ-like comprehensions: 


public static int[] InverseOdds(int[] input) { 
return input.AsParallel(). 
Filter(x => (x & 1) se 1). 


x => 8 
s nenen, 
" are agar as 
compile-time errors 


error cs20004: Object only has ‘readable’ access: storing to a Held requires ‘writable! 


„. 0 => FO) 


Benevolent Side Effects 


“(T]here is no one right way of writing every program and a language 
designer has no business of trying to force programmers to use a particular 
style. The language designer does, on the other hand, have an obligation 
to encourage and supporta variety of styles and practices that have 
proven effective and to provide language features and tools to help 
programmers avoid the well known traps and pitfalls.” 


dome Stroustrup, 
A History of C++: 1979—1991 


Benevolent Side Effects 


+ Systemabstractionsmust lie sometimes: 
= Nomutablestaics? public static deus s foo = new Latro C); 
+ Solong as they dynamically preserve the safety, unstrict can be used: 
public class LazyeT> where T : class ( 
private T m value; 
private LazyFunceT> m func = -; 
private object m lock = nex object; 


publie T Value ( 


get ( 
Af (m value == null) 
wnstrict ( 
lock (a lock) 


return value; 
B 
H 
) 
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Immutable Types 


* Marking any type as immutable: 


—All fields are readonly (unless marked mutable). 
— “Shallow” immutability. 


* Property initializers: 
= immutable class ImmStack<T> { 
private static ImmStack<T> Empty 


public ImmStack«T» Head ( get; ) 
public T Value ( get; ) 


new InnStackc»(); 
Empty; 


) 
* Deep can be obtained with immutable refs. 


Non-Nullability 


A call it my billion-dollar mistake. It was the 

invention of the null reference in 1965.” 

-- Tony Hoare, 
Historically bad ideas, QCon London 2009 

* Only T? references may be assigned null. 

— Unification of nullable<T> for ref and val types. 

— T? coercable to T, but entails a dynamic null check. 
A lot like Spec# non-nullabletypes, Il, but the 

defaultis flipped. 


Linear Types 


* Areference can be marked linear: 

— linear<Graph<T>> graph = ; 

— Noaliases allowed ~= exclusive ownership. 
+ Type must be marked linearizable: 

— No aliasing of ‘this’ during execution. 

— All fields are themselves linear. 
* Allows: 

— Handoff of writable linear objects: 


* writable linear<T> v = .; 
Task<int> t = new Task<int>(o => o.Mutate(), v); 


— Update in-place of linear objects: 


+ writable linear<T> vs[writable] = ..; 
Parallel.ForEach(vs, v => v.Mutate(}); 


Specialization / Matching 


* Static callsite specialization: 
— Pattern matching. 
— More efficient code generation. 
= E.g., 
+ public double SumeT>(T x) 
ea int, double ( 


return x; 


else where T : ListeU> ( 

return Sum(x.Car) + Sum(x.Cdr); 
} 
else ( 
return 1.6; 


Async “Future” Lifting 


* We use “promises” in Midori for async. 
— Any value can be a promise for a value. 
— Pipeline operations against it; or, invoke When 
and, in the callback, you can access the value. 


* AnyT can be marked async<T>: 
- async«T» a <- Remote.Call(); 
- async«U» b <- a.Foo(); // Pipeline. 
— async<V> c <- b.When(v => = v .); // When. 


* Notice that «- is used as "message send". 


Tuples 


* Syntactic sugar for tuples (in. NET 4.0). 
— Usable as “anonymous” types that appear publicly. 
* Afirst class type: 
— (int, DateTime) ~= Tuple<int, DateTime> 
public void M((int, DateTime) v) ( ... V.First ...); 
+ And special initializer syntax: 
— var t = new () ( 42, “hello”, o. if / 
— tis of type (int, string, float) ~= Tuple<int, string, float> 


Addressing Legacy (and Reality) 


* Bifurcation: 
— nonstrict methods don’t abide by the rules. 
— strict methods do. 
* And only call other strict methods. 
* Downward separation: 
— Legacy (nonstrict) can call into new code (strict). 
— Once you're in, you can't get out. 
* "We don't make things worse”. 
— Pass an object as writable to concurrent strict methods. 
— You had a race before. No worse. 
— But we give you a pocket of safety: no mistakes. 


Current Status 


* Initial phase (“is it too crazy to work?"): 
— Integration with Axum's type system (via Q). 
— Customattributes + FxCop verification done. 
+ [Writable] void Foo([Writable] Bar b) ( .. ) 
— Prototypes of: 
* Midori base class libraries. 
* Safe data parallel programming model. 
* Next phase ("get real"): 
— Cit 3.5 compiler work 90% done. 
* Aim to wrap up in a few weeks; after that: all of Midori uses it. 
+ Willgoupon | 00. 
— Data parallelism, race free finalization, message passing. 
— implicit in several areas (e.g., LINQ, Array Sort). 


The Road Ahead: Challenges 


+ Is opt-in to imperative mutation cumbersome? 
— writable by default makes it easier. 
— But relies on abstinence to go functional. 


— The bet: mostly functional is the sweet spot; hence less 
ceremony. 


* Safe parallelism is sometimes limiting: 
— No ad-hoc inter-thread communication. 
— The bet: race freedom is well worth it. 
* What to do with the existing libraries. 
— Slowly move them on to the new plan? 
— But what about interfaces, events, callbacks, 
— And other languages who don't care: Python, Ruby, ... 
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Q&A 


* http://toolbox/mfesharp/ 
* http://midori/ 


cori 


Specialization / Matching 


* Static callsite specialization: 
— Pattern matching. 
— More efficient code generation. 
= E.g., 
+ public double SumeT>(T x) 
ea int, double ( 


return x; 


else where T : ListeU> ( 

return Sum(x.Car) + Sum(x.Cdr); 
} 
else ( 
return 1.6; 


